2/11/2010 @ 11:40AM

No Hacker Left Behind

Invite a few ubergeeks over to play a friendly war game, and you can bet the winner will be the one who most creatively breaks the rules. Last July, during the inaugural round of the online cybersecurity simulation game NetWars, 75 contestants vied to hack into and control the game’s 12 servers, planting their user names on the conquered computers to declare their territory. But one contestant, known as SevenM7, had other ideas. Instead of focusing on the game’s targets, he hijacked NetWars’ scorekeeping algorithm. SevenM7’s tally of wins spiked. When the game ended he had three times as many points as any of his baffled competitors.

Some might view SevenM7 (in real life, a 17-year-old high school junior named Michael Coppola) as a cheater or, worse, a cybercriminal in training. Alan Paller sees him as the future of America’s national security.

“The Internet is God’s gift to espionage,” says Paller, who created NetWars and serves as its chief evangelist. “This is a skill we need Americans to have. But even more we need to find the ones who are already talented and make sure they’re working for the good guys.”

Twenty-one years ago Paller founded a cybersecurity school known as the Sans Institute. The for-profit school, in Bethesda, Md., has 110,000 alumni, most of whom have taken an intensive six-day course in data security. (Paller, 64, directs research at the institute.) That’s just a start on what this country needs in the age of digital espionage. The Chinese cyberattacks that recently accessed Google’s network and those of dozens of other companies, Paller points out, were only the latest in a string of breaches that began in 2002 and have long demonstrated America’s acute lack of data security skills.

In October 2008 Paller sat in on a conference with President Obama’s interim cybersecurity chief Melissa Hathaway and six other security gurus from the NSA, White House and Department of Defense. One verdict of that meeting: America has maybe 1,000 highly skilled cybersecurity experts but needs 20,000.

Paller’s solution: Use competitions to find young hackers and connect them with government and private industry recruiters. The contests he promotes include the Air Force’s Cyber Patriot competition, which has high school contestants fending off a “Red Team” of hackers attempting to steal their data, and the Department of Defense’s Digital Forensics Challenge, in which teens and college students compete to trace digital intrusions and reconstruct incomplete data sources.

NetWars, Paller’s pet project within this collection of cybergames, takes his educational mission a controversial step further. It aims to find and foster teens’ skills for digital offense: finding vulnerabilities and exploiting them to steal information. “Unless you know how to attack, you don’t know how to defend,” says Paller.

That approach appeals to cybersecurity recruiters. Two government agencies that asked not to be named are offering internships to winners, and networking giant Cisco is considering signing on as well.

But NetWars’ focus on offensive hacking also raises eyebrows, even among some of Paller’s cybertraining colleagues. James Christy, who runs the Digital Forensics Challenge, admits that a minority of hacker-trained students will “go to the dark side,” though he believes the benefits will outweigh the creation of a few young cybercriminals. Sanford Schlitt, who coordinates the Cyber Patriot competition, argues that teaching cyberoffense crosses “a thin line between training kids and creating hackers.”

Paller counters that NetWars aims to find hackers, not train them. He also points out that America’s potential enemies aren’t shying away from cyberoffense education. In a congressional hearing last May Paller told the story of Tan Dailin, a Chinese graduate student who won several government-sponsored hacking competitions in 2005, before he was caught intruding on the Pentagon’s networks. “China’s People’s Liberation Army is running these competitions all the time, aiming their recruits at the U.S.,” Paller says. “Shouldn’t we be looking for our best talent the way other countries are?”